CAPEC-702: Exploiting Incorrect Chaining or Granularity of Hardware Debug Components
An adversary exploits incorrect chaining or granularity of hardware debug components in order to gain unauthorized access to debug functionality on a chip. This happens when authorization is not checked on a per function basis and is assumed for a chain or group of debug functionality.
Last updated
Overview
Chip designers often include design elements in a chip for debugging and troubleshooting such as: Various Test Access Ports (TAPs) which allow boundary scan commands to be executed. Scan cells that allow the chip to be used as a "stimulus and response" mechanism for scanning the internal components of a chip. Custom methods to observe the internal components of their chips by placing various tracing hubs within their chip and creating hierarchical or interconnected structures among those hubs. Because devices commonly have multiple chips and debug components, designers will connect debug components and expose them through a single external interface, which is referred to as “chaining”. Logic errors during design or synthesis could misconfigure the chaining of the debug components, which could allow unintended access. TAPs are also commonly referred to as JTAG interfaces.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Find and scan debug interface] The adversary must first find and scan a debug interface to determine what they are authorized to use and what devices are chained to that interface.
- Use a JTAGulator on a JTAG interface to determine the correct pin configuration, baud rate, and number of devices in the chain
- Step 2Experiment
[Connect to debug interface] The adversary next connects a device to the JTAG interface using the properties found in the explore phase so that they can send commands. The adversary sends some test commands to make sure the connection is working.
- Connect a device such as a BusPirate or UM232H to the JTAG interface and connect using pin layout found from the JTAGulator
- Step 3Exploit
[Move along debug chain] Once the adversary has connected to the main TAP, or JTAG interface, they will move along the TAP chain to see what debug interfaces might be available on that chain.
- Run a command such as “scan_chain” to see what TAPs are available in the chain.
What the attacker needs
Prerequisites
- Hardware device has an exposed debug interface
Skills required
- Medium skill: Ability to identify physical debug interfaces on a device
- Medium skill: Ability to operate devices to scan and connect to an exposed debug interface
Resources required
- A device to scan a TAP or JTAG interface, such as a JTAGulator
- A device to communicate on a TAP or JTAG interface, such as a BusPirate
Consequences
What a successful CAPEC-702 attack can achieve.
Read Data
Affects: Confidentiality
Modify Data
Affects: Integrity
Gain Privileges
Affects: Access Control, Authorization
How to mitigate it
Defenses that reduce the risk of CAPEC-702.
- Implement: Ensure that debug components are properly chained, and their granularity is maintained at different authorization levels
- Perform Post-silicon validation tests at various authorization levels to ensure that debug components are only accessible to authorized users
Examples
A System-on-Chip (SoC) might give regular users access to the SoC-level TAP, but does not want to give access to all of the internal TAPs (e.g., Core). If any of the internal TAPs were incorrectly chained to the SoC-level TAP, this would grant regular users access to the internal TAPs and allow them to execute commands there.
Suppose there is a hierarchy of TAPs (TAP_A is connected to TAP_B and TAP_C, then TAP_B is connected to TAP_D and TAP_E, then TAP_C is connected to TAP_F and TAP_G, etc.). Architecture mandates that the user have one set of credentials for just accessing TAP_A, another set of credentials for accessing TAP_B and TAP_C, etc. However, if, during implementation, the designer mistakenly implements a daisy-chained TAP where all the TAPs are connected in a single TAP chain without the hierarchical structure, the correct granularity of debug components is not implemented, and the attacker can gain unauthorized access.
Frequently asked questions
Common questions about CAPEC-702.
- What is CAPEC-702?
- An adversary exploits incorrect chaining or granularity of hardware debug components in order to gain unauthorized access to debug functionality on a chip. This happens when authorization is not checked on a per function basis and is assumed for a chain or group of debug functionality.
- How does a Exploiting Incorrect Chaining or Granularity of Hardware Debug Components attack work?
- It typically unfolds over 3 phases. It begins with: [Find and scan debug interface] The adversary must first find and scan a debug interface to determine what they are authorized to use and what devices are chained to that interface.
- How do you prevent CAPEC-702?
- Implement: Ensure that debug components are properly chained, and their granularity is maintained at different authorization levels
- What weaknesses does CAPEC-702 target?
- CAPEC-702 exploits 1 CWE weakness, including CWE-1296 (Incorrect Chaining or Granularity of Debug Components).
- How severe is CAPEC-702?
- MITRE rates CAPEC-702 as Medium severity with low likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-702
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.